Summary
Ginwui is a fully-featured backdoor with rootkit features. This backdoor was distributed inside a document file with a shell-code that dropped the backdoor's file to a hard drive and activated it.
Detailed Description
The shell-code in the Word document decrypts and drops the backdoor's file as CSRSE.EXE to the temporary folder and activates it.
After being run the dropped file in its turn extracts and drops another file to a system. This file is dropped as WINGUIS.DLL to Windows System folder and its DoHook function is activated by the dropper. The dropper then deletes itself from a system.
The dropped DLL file is the main backdoor component. It traps several functions and modifies information that is passed to a user. As a result the backdoor's file, startup key in the Registry and process are not visible to a user.
The backdoor creates a startup key for its file in the Registry:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "%WinSysDir%\winguis.dll"
where %WinSysDir% represents Windows System folder which by default has the C:\Windows\System32\ name.
Being active the backdoor connects to specified address in order to receive commands from a hacker. The backdoor allows a hacker to do any of the following on an infected computer:
-> create, read, write, delete and search for files and directories
-> access and modify the Registry
-> manipulate services
-> tart and kill processes
-> take screenshots
-> enumerate open windows
-> create its own application window
-> get information about infected computer
-> lock, restart or shutdown Windows
-> create a pipe and read files from it
start a remote command shell
enumerate network resources
The backdoor also creates 3 empty SYS files in the \drivers\ subfolder of Windows System folder.
...
..
.
Write-up: Alexey Podrezov, May 19, 2006
Technical Details: Alexey Podrezov, May 19, 2006